3-DAY TRAINING 7 – Offensive Open Source Intelligence


CAPACITY: 20 pax


USD2199 (early bird)

USD2999 (normal)

Early bird registration rate ends on the 31st of May



RECONNAISSANCE, the very first phase of any Risk Assessment Exercise, is often underestimated by many
security professionals. Every pentester’s arsenal should, however, include Open Source Intelligence (OSINT)
and active reconnaissance for an effective assessment and measure the security posture against real world
This advanced training not only talks about using OSINT to extract data but also focuses on the significance of
this data and how it could be directly enriched and used offensively for attacking and compromising Modern
Digital Infrastructures.
We will take a deep-dive into various methodologies for extracting useful information from the internet.
Furthermore, we will cover how this extracted information can be used in attack scenarios to get initial
foothold in multiple ways within an organisation’s network and further exploit it to gain and maintain
elevated access. The course will cover topics like:

  • Mapping the Attack Surface
  • Enriching Collected Data
  • Cloud Recon
  • Employee Profiling
  • Attacking Federation Server
  • Exploiting Domain Trust
  • Practical Social Engineering, etc.

This 3 days course covers a wide range of topics ranging from recon to launching active targeted attacks,
to indulge the participants into real world scenarios, simulated lab environment and case studies so that
they can get proficient in techniques and methodologies. Each participant will also be provided ONE
MONTH FREE ACCESS to our Private Lab mimicking the modern age infrastructure, as well as decoy
accounts and organization’s social presence, where they can practise the skills learnt during the course.

Key Learning Objectives

  • Learn to perform reconnaissance of modern organizations with hybrid infrastructure.
  • Gain a deep understanding of how to collect, enrich and utilize actionable intelligence to launch targeted attacks.
  • Learn how to move laterally within a modern network, escalate privilege and maintain access.
  • Perform OSINT on live targets and attacks in lab environment.

Who Should Attend

  • Penetration Testers
  • Social Engineers
  • Red/Blue-Teamers
  • Bug Bounty Hunters
  • Anyone with an interest in privacy, social media and OSINT

Prerequisite Knowledge

  • Basics of penetration testing.

Hardware / Software Requirements

  • Attendees should have a laptop with admin access on it, minimum 4GB RAM and at least 30 GB of free HDD space.
  • Laptop should have a browser and should support Wifi Connection in order to reach Internet.
  • Any OS is fine (Windows/Mac/Linux). Everything else will provided in the Student kit.
  • Note: Please avoid Chromebooks.

What Students Will Be Provided With

  • One Month Private Lab Access
  • Student Pack which contains
    • Slide deck
    • Custom VM
    • OSINT and Pentest Cheat-Sheets
    • Custom Scripts
    • Answers to Lab Exercises

Course Outline

Agenda – Day 1

  • Target Scoping and Mapping the Attack Surface
    • ASN ID, IP Lookups, Allocated IP Range Extraction, Domain IP History
      • WhoIs, Reverse WhoIs, IP Lookup, Identifying ASN IDs
      • Allocated IP Ranges for Specific ASN ID
      • DNS Records, Mass-Resolve
    • Subdomain Enumeration
      • Advanced Google Dorking, Certificate Transparency, LDNS Walking
      • Internet Scan Repositories
    • Organization’s Social Media Profiling
      • Company profiling through Crunchbase, zoominfo, etc.
    • Identifying Organization’s Associations
      • Acquisitions, Mergers, Vendors, Customers etc.
      • Identifying domains/sub-organizations/acquisitions under a company.
    • Hunting Code Repositories, Dark Web, Paste(s) Sites and Leaked Data
      • Exploring Code Aggregators
      • Searching Data in Onion and Paste Sites
    • Employee(s) Profiling
      • Crunchbase, Email Hunter, Linkedin, ZoomInfo
      • Automated Tools and Chrome Addons
    • Cloud Recon
      • Identifying Server Instances
      • Discovering Cloud Storage Objects
      • Federation/AD Server Discovery
  • Enriching OSINT Data (scanning, ports, shodan, screenshots)
    • Generating Username/Password Patterns
    • Bucket/Blogs/Spaces Pattern Generation
      • Custom Scripts for Generating Common Bucket/Spaces/Blobs names
      • Bucket/Spaces Finder
    • Tech Stack Profiling
      • Wappalyzer, Build-with, Job Portal
      • Tech Forums
    • Port Scanning (Active/Passive)
      • Using Hacker Search Engines
      • Nmap, Mass-Scan
    • Capturing Screenshots of Exposed Service
      • Screenshots for Websites and other services
      • Tools / Custom Scripts
    • Identifying SSO/Login/Admin/VPN Portal(s)
      • Identifying Login URLs using Spidering and Regex Patterns
      • Identifying Third Party SSO Integrations
    • Explore Breached Password Databases
      • HIBP/Breach-or-Clear/etc.
      • Locating and Extracting Public Dumps
    • Metadata Extraction
      • Spidering and Google Dorking to Find Documents
      • Extracting EXIF
    • Automating CSE for Dork Matching
      • Accumulating Dorks from GHDB
      • Creating and Configuring a CSE

Agenda – DAY 2

  •  Attacking and Exploitation
    • Targeted Credential Spraying on Infrastructure Assets and Third Party Authentication
      • Spraying Credentials on Login/SSO/Admin/VPN Portals/Third Party Service
      • Bypassing OTP Login using User Configurations
    • Compromising Business Communication Infrastructure (BCI)
      • Identifying Communication Infrastructure
      • Access User Communication Using API Keys/Credentials/Access Tokens, etc.
    • Exploring the Compromised Assets [Bonus Lab Exercise]
      • Explore Groups, Channels, Privileges, Shared Files, etc.
      • Identify Credentials, API keys, Server Secrets, Internal Domain Information, etc.
    • Attacking Network Services using collated data
      • Running Basic Automated checks on Network services
      • Password Spraying on Network Services
      • Attacking DB Services
    • Stealing information from Buckets/Blobs
      • Understanding Permission Types on Cloud Objects
      • Cloud Storage Object Hijacking
      • Exploiting Applications using Cloud Storage Objects
    • Attacking Cloud Server Instances
      • Understanding Default Cloud Configurations
      • AWS Security Groups
      • Exploiting IAM Rules
    • Attacking Federation Servers/Domain Controller Servers
      • Understanding Access Controls
      • Crafting Federation Certificates
    • Mapping Forest Environment
      • Enumerating Domain and Forest Information
      • Active Directory Recon
    • Exploiting Domain Trust
      • Understanding Domain Trusts
      • Enumerating Trusts and Data Enumeration Across Trusts

Agenda – Day 3

  • Exploring Human Attack Surface
    • Identifying Potential Human Targets
    • Attack Planning: Compromise the Unreachable Domain
  • Practical Social Engineering
    • User Profiling
      • Users’ Interests, Sleeping Activity, Social Accounts
      • Users’ Digital Footprint, Code, Blogs, etc.
    • Generating Reasonable Pretext(s) based on Identified information
      • Watering Hole Attack
      • Identifying Forums/Portals used by Users
      • Infecting the Watering Holes and Inviting Target Users
    • Spear Phishing and Targeted Client Side Exploitation
      • Phishing using Targeted Pretext(s)
    • Dropping Payloads using BCI
      • Gaining Reverse Shells
  •  Post Exploitation & Persistence
    • Privilege Escalation and Lateral Movement in Windows Environment
      • Understanding Token Stealing, Pass The Hash, SYSVOL, LLMNR Poisoning
      • Moving from Local Admin to Domain User
    • Dumping Privileged User Credentials
      • Dumping Clear Text Passwords using Mimikatz
      • Domain User to Domain Administrator
    • Compromising AD and Network Persistence
      • Understanding Golden Ticket, Silver Ticket, Skeleton Keys etc.
      • Generating Golden Ticket

Location: TRAINING ROOMS Date: August 26, 2019 Time: 9:00 am - 6:00 pm Sudhanshu Chauhan Shubham Mittal